Microsoft issues patch for WMF vulnerability

Microsoft released seven security bulletins as part of its monthly update on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer.

The Redmond, Wash.-based software maker also rated another patch for a vulnerability in Windows Media Player 7.1 as "critical." The five other bulletins were rated "important."

The update for Internet Explorer follows a security advisory the company issued last week after the WMF flaw was discovered. The flaw exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

Exploiting the vulnerability means that someone could seize control of an affected system. Microsoft also recommended last week that users upgrade to IE6 with Service Pack 1.

Microsoft also patched Windows Media Player 7.1, on Windows 98/98SE/ME/2000, Windows Media Player 8 on Windows XP (up to and including SP1), Windows Media player 9 on Windows 2000/XP SP2/Server 2003, Windows Media Player 10 on 98/98SE/ME/XP (up to and including SP2).

The vulnerability in Windows Media Player has the potential to allow someone remotely take control of a system via a malicious images embedded in the customized versions of Windows Media Player.

"It could be exploited through Microsoft Internet Explorer because users often get media that is hosted on the Web," Microsoft said in a statement. "Microsoft Internet Explorer typically starts the media player automatically to open the media file which could allow attackers to host the malicious (customized file) on a Web page as a method of attack."

Microsoft rates as "critical" any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.

[fear_and_loathing]

so...?

This is such a NON-story!
I think C|Net just like the hits these "Window's flaws" stories get.
Hey, C|Net guy... Mr. staff writer... you have to wait 'till M$
DOESN'T release a patch until it's too late to get us to fight.
DUH!

[W2Kuser]

M$ bugs like lax borders = homeland security threat

Despite all the hype about the Dept of Homeland Security running the first cyber attack simulation, it's amazing how DHS & the US Gov continue to allow this nonsense.

For over a decade we have watched Micro$oft issue panicked fixes for HUGE security flaws that enable global networks to be subverted and used to launch attacks.

The homeland security risks posed by Micro$oft's continuingly dismal record on quality testing & security is comparable to the risks from our ineffective border security - it's a wide open invitation for attack.

Bill Gates has had over a DECADE to demonstrate that private enterprise can fix this problem - and he has failed by every possible measure. And his recent actions to BAN SECURITY UPDATES to compuaters that fail Micro$osft's mysterious "verification" program further heighten the risk & urgency of this.

Since Gates refuses to address this problem voluntarily, it's clearly time for the Dept of Homeland Security to step in and mandate the fixes. Micro$soft's well documented predatory business model practically equates to a tax on the USA anyhow, so why not require those funds to be put to more responsible use?

If Gates had to sit in a jail cell until Windows was "clean", this catastrophy would be fixed next week.

[Macsaresafer]

You're right...

but instead of penalizing Microsoft, the government is still favoring
them:
http://news.com.com/2061-10796_3-6038713.html?
tag=nefd.pulse